LPSE Indonesian Government Data Breach Exposes Tender Data, Winner Details, and Tax IDs

LPSE Indonesian Government Data Breach Exposes Tender Data, Winner Details, and Tax IDs

Data breaches in Indonesia have emerged as a serious and persistent issue in the digital realm. Despite concerted efforts to fortify the security of personal and corporate data, cyberattacks, data breaches, and illicit activities continue to plague the landscape. These data breaches pose significant threats to the privacy, financial security, and reputations of both individuals and organizations.

Efforts to bolster cybersecurity and raise awareness regarding cyber threats are imperative for Indonesia to effectively combat this problem. With the relentless evolution of technology and the growing dependence on digital data, the challenges in safeguarding data integrity have become increasingly pressing. Collaboration between the government, private sector, and the broader community is pivotal in confronting the looming specter of data breaches in the future.

In the context of collaboration between the government and the private sector, the Layanan Pengadaan Secara Elektronik (LPSE), or Electronic Procurement Service, serves as a mediator in data management and the procurement processes for goods and services in Indonesia. 

However, a concerning development emerged on September 15, 2023, when a threat actor known as "matrixpoint" posted on a breach forum, revealing tender data, winner details, and NPWP (tax identification numbers) belonging to LPSE from 2020 to 2023.

In the thread shared by the threat actor, it appeared as if the data had been directly extracted from the LPSE database, with the use of database query commands such as "INSERT." However, the validity of the data leak shared by the threat actor "matrixpoint" remains unverified.

The sample data provided by "matrixpoint" from the LPSE database includes fields such as "id, kode, nama_tender, jenis_pengadaan, satuan_kerja, pagu_value, hps_value, pemenang, alamat, npwp, harga_penawaran, harga_terkoreksi, harga_negosiasi, harga_kontrak, nilai_pdn, nilai_umk, reverse_auction, tanggal_edit, url, and tahun"

As of the time of this article's publication, there has been no official response from LPSE regarding the veracity of the leaked data, and whether it indeed originates from the LPSE database.

However, upon closer examination, the provided data includes the domain "lpse.gowakab.go.id" along with URLs leading to evaluation data. This suggests that the data breach may have originated from this subdomain, though it cannot be definitively confirmed as data stored in databases may sometimes intermingle with data from other domains.

Figure 1: URL Private data LPSE

Furthermore, a deep inspection of the URLs in the data reveals that they do not grant permission for public access. This implies that the data shared by the threat actor "matrixpoint" likely represents sensitive database information that should not be publicly accessible.

In conclusion, the issue of data breaches in Indonesia is a matter of grave concern, necessitating collaborative efforts and heightened cybersecurity measures. While the authenticity of the leaked data remains unverified, it underscores the importance of robust data protection strategies and vigilance in the digital age.